Distributed, fault-tolerant communication systems are used, for example, in applications where a failure could result in injury or death to one or more persons. Such applications are referred to here as “safety-critical applications.” One example of a safety-critical application is a system that monitors and manages the sensors and actuators of an airplane or other vehicle; similar systems are found in the automotive, aerospace electronics, medical, and industrial control fields, among others.
One architecture that is commonly considered for use in such safety-critical applications is the Time-Triggered Architecture (TTA). TTA, TTP/C, and TTP/A are described in specifications promulgated by TTTech Computertechnik AG. TTP/C uses time-division multiple access (TDMA) as the medium access strategy, in which each node is permitted to periodically utilize the full transmission capacity of the bus for a fixed amount of time called a TDMA slot. Collision-free access to the bus is therefore ensured only as long as every node confines its transmissions to its statically assigned slot; a node that transmits outside its slot can corrupt the transmissions of other nodes, which is why an independent mechanism is needed to contain such faults.
Many systems today are built on complex electronics architectures that support both operational and maintenance functions. The aerospace industry, for example, uses a common electronics architecture for safety-critical and non-safety-critical systems, and other industries, including automotive and industrial equipment, can benefit from similar architectures. These architectures include time division multiple access (TDMA) based communication protocols, and they have required independent guardian components to contain erroneous component behavior and maintain communications availability. In high volume applications the guardian function is often centralized to reduce cost.
To date, the implementation of a centralized bus guardian function for time division multiple access (TDMA) based communication protocols has required the guardian to have independent knowledge of the communication schedule and timing parameters, such as slot order, transmission start time, and the like. This has required the guardian to incorporate non-volatile storage and has resulted in complicated requirements for programming the guardian's schedule data. It has further introduced a new failure mode: an inconsistency between the schedule held by the guardian and the schedule held by the nodes it is protecting, in which case the guardian blocks legitimate transmissions or admits illegitimate ones. In addition, this strategy requires the guardian to maintain state, in the form of the transmission order and the current slot position, which leaves the implementation vulnerable to state upsets such as those induced by high energy neutrons; once the guardian's slot counter disagrees with the nodes, every subsequent slot is misjudged until the state is resynchronized. Also, with the centralization of the protection mechanism, the guardians themselves become critical architecture components. Therefore the complexity of the guardian design may be a significant issue in the safety-critical domain. In certain domains gate level failure analysis may be required, in which case the complexity of the guardian will have significant financial impact.
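The slot enforcement described for TDMA above, and the schedule-knowledge and state dependence of a centralized guardian described in the preceding paragraph, can be illustrated with a small simulation. The following Python model is an added example; it is not part of this specification and is not code from TTTech or any TTP/C implementation. The four-node schedule, the four-tick slot length, the node names, and all function names are constructed assumptions. The model shows three cases: well-behaved nodes are all admitted without collision; a node that transmits on every tick is admitted only in its own slot; and a single upset of the guardian's slot counter causes it to block every legitimate transmission that follows.

```python
"""Toy model of a centralized TDMA bus guardian (constructed example, not TTP/C code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed static schedule: four nodes, each owning one slot of four ticks.
SLOT_ORDER: Tuple[str, ...] = ("A", "B", "C", "D")
SLOT_TICKS = 4


def owner_of_tick(tick: int) -> str:
    """Node that the static schedule (as held by the nodes) assigns to `tick`."""
    return SLOT_ORDER[(tick // SLOT_TICKS) % len(SLOT_ORDER)]


@dataclass
class Guardian:
    """Centralized guardian holding its own copy of the schedule (the
    'independent knowledge' that would live in non-volatile storage) and
    tracking the current slot as mutable state (the part an upset can corrupt)."""
    slot_order: Tuple[str, ...] = SLOT_ORDER
    slot_ticks: int = SLOT_TICKS
    slot_index: int = 0      # current slot position: guardian state
    tick_in_slot: int = 0    # ticks elapsed in the current slot
    blocked: List[Tuple[int, str]] = field(default_factory=list)

    def admit(self, tick: int, node: str) -> bool:
        """Gate a transmission attempt: only the owner of the guardian's
        current slot is allowed onto the bus."""
        allowed = node == self.slot_order[self.slot_index]
        if not allowed:
            self.blocked.append((tick, node))
        return allowed

    def advance(self) -> None:
        """Advance the guardian's own notion of time by one tick."""
        self.tick_in_slot += 1
        if self.tick_in_slot == self.slot_ticks:
            self.tick_in_slot = 0
            self.slot_index = (self.slot_index + 1) % len(self.slot_order)

    def upset(self, new_index: int) -> None:
        """Model a state upset (e.g. a neutron-induced bit flip) in the slot counter."""
        self.slot_index = new_index


def run(ticks: int, babbler: Optional[str] = None,
        upset_at: Optional[int] = None, upset_to: int = 0) -> Dict[str, object]:
    """Simulate `ticks` ticks of bus activity through one guardian.

    Well-behaved nodes transmit only in their own slot; `babbler`, if given,
    attempts to transmit on every tick. `upset_at` corrupts the guardian's
    slot counter to `upset_to` at that tick. Returns the collision count, the
    transmissions that reached the bus, the guardian's block log, and the
    legitimate transmissions the guardian wrongly blocked.
    """
    g = Guardian()
    collisions = 0
    delivered: List[Tuple[int, str]] = []
    wrongly_blocked: List[Tuple[int, str]] = []
    for t in range(ticks):
        if t == upset_at:
            g.upset(upset_to)
        senders = {owner_of_tick(t)}
        if babbler is not None:
            senders.add(babbler)
        on_bus = [n for n in sorted(senders) if g.admit(t, n)]
        if len(on_bus) > 1:
            collisions += 1          # two nodes driving the bus in one tick
        delivered.extend((t, n) for n in on_bus)
        if owner_of_tick(t) not in on_bus:
            wrongly_blocked.append((t, owner_of_tick(t)))
        g.advance()
    return {"collisions": collisions, "delivered": delivered,
            "blocked": g.blocked, "wrongly_blocked": wrongly_blocked}


if __name__ == "__main__":
    print("nominal:", run(16))
    print("babbling node B:", run(16, babbler="B"))
    print("guardian upset at tick 8:", run(16, upset_at=8, upset_to=0))
```

In the third case the guardian's slot counter is reset to slot 0 at tick 8 while the nodes, following the same static schedule, are in slot 2. From that point on the guardian and the nodes disagree on every slot, so the guardian silently blocks all legitimate traffic, which is the inconsistency failure mode and the state-upset vulnerability the text attributes to schedule-aware centralized guardians.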
Therefore, there is a need in the art to reduce the complicated programming requirements for the guardian.